| Message ID | 20240202121531.2550018-1-lizhi.xu@windriver.com |
|---|---|
| State | New |
| Headers |
Return-Path: <linux-kernel+bounces-49819-ouuuleilei=gmail.com@vger.kernel.org>
Delivered-To: ouuuleilei@gmail.com
Received: by 2002:a05:7301:9bc1:b0:106:209c:c626 with SMTP id op1csp384293dyc;
Fri, 2 Feb 2024 04:17:11 -0800 (PST)
X-Google-Smtp-Source:
AGHT+IEHAdes0A5/kuGL96tASUWAYt8Fg7f6NVRmBClNwAwTqCH51ohdiBonNTnXYd3N5taJeYUu
X-Received: by 2002:a05:6a20:43a6:b0:19b:435a:a139 with SMTP id
i38-20020a056a2043a600b0019b435aa139mr8982372pzl.11.1706876231343;
Fri, 02 Feb 2024 04:17:11 -0800 (PST)
ARC-Seal: i=2; a=rsa-sha256; t=1706876231; cv=pass;
d=google.com; s=arc-20160816;
b=Im4ylajyYpL6OesaZayVRUP6B9OLSlZXvnoTNO1d/ProTSampCNb7VdGOrQrE48jd9
dhyMvrZ5Hkrbdcnj1ERBIOKnywqsL4fe3gb9pOL79ibJh6i+xDdXyw/gnE2bCVXBt0MD
AMT4F6HSvMYeQSsvn5jeqctD+4JF7+tAPjwCFFpZLyIZSLXAJeuOGsdWzbGHFHNSG+Vr
FEED+6fvqdZX42Ed0LdtNTzktoSm478GivqIulmvCEKYmmKFFjbH3M8IdEwpCiRYShYU
0msA7KTNPPftWHxb9plOfPQzJRcDuypIBbI3INX3NtDYDT4WQOM90Vg5SkRiJAoIk2Lt
0m4A==
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
s=arc-20160816;
h=content-transfer-encoding:mime-version:list-unsubscribe
:list-subscribe:list-id:precedence:references:in-reply-to:message-id
:date:subject:cc:to:from:dkim-signature;
bh=UYcTMeXPca+N73s96cgEXe+7bZsHSgkXHU5oK5Zc7aU=;
fh=utdR+ziUHpcR5HS+0ZycMjNckF6+qT1fmguW14UPkNo=;
b=oWRFoBomNmKjz7icALky+P5tPlQsfo3MClUYRAJLT6Cgx/NbkjJIgSyHmE5Rsthf88
QUZfTZsgewpvjrn8jlUcTGs2tIvCEM2gC3x3Uvixo5KvTiSiCWHsw7EfmgTBNHlZgFJK
NVm6snBz2KbqPa4E4rUc6UYobW2TEHpXfUTvMFTGZjDNR+ZhGqSQViQwQzndSee9pTtW
C6g3btES9eh7HRfka1PHAEy1AP2/N4ROfXGfbQ7At0YjFcbJYea0vCBdfjX7WjlDda0M
gJrPbhkypJTsGWUBFjq0GXri/rtIwAp4FyCfUyRGrCsKvAq2iEP9h54hsx1DzA/t2Y3f
5vFA==;
dara=google.com
ARC-Authentication-Results: i=2; mx.google.com;
dkim=pass header.i=@windriver.com header.s=PPS06212021
header.b=WCVxY8Vi;
arc=pass (i=1 spf=pass spfdomain=windriver.com dkim=pass
dkdomain=windriver.com dmarc=pass fromdomain=windriver.com);
spf=pass (google.com: domain of
linux-kernel+bounces-49819-ouuuleilei=gmail.com@vger.kernel.org designates
2604:1380:45e3:2400::1 as permitted sender)
smtp.mailfrom="linux-kernel+bounces-49819-ouuuleilei=gmail.com@vger.kernel.org";
dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=windriver.com
X-Forwarded-Encrypted: i=1;
AJvYcCWmlZFtWshoplu4roFkqScYbvWwGD6GqVbt1KL8zjSmuHlJbggNGvMJkGusKZWen2GPuY/mpOR+vBhQYNXxubjGsEMQcg==
Received: from sv.mirrors.kernel.org (sv.mirrors.kernel.org.
[2604:1380:45e3:2400::1])
by mx.google.com with ESMTPS id
n10-20020a63e04a000000b005d8bda83626si1547844pgj.12.2024.02.02.04.17.11
for <ouuuleilei@gmail.com>
(version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
Fri, 02 Feb 2024 04:17:11 -0800 (PST)
Received-SPF: pass (google.com: domain of
linux-kernel+bounces-49819-ouuuleilei=gmail.com@vger.kernel.org designates
2604:1380:45e3:2400::1 as permitted sender) client-ip=2604:1380:45e3:2400::1;
Authentication-Results: mx.google.com;
dkim=pass header.i=@windriver.com header.s=PPS06212021
header.b=WCVxY8Vi;
arc=pass (i=1 spf=pass spfdomain=windriver.com dkim=pass
dkdomain=windriver.com dmarc=pass fromdomain=windriver.com);
spf=pass (google.com: domain of
linux-kernel+bounces-49819-ouuuleilei=gmail.com@vger.kernel.org designates
2604:1380:45e3:2400::1 as permitted sender)
smtp.mailfrom="linux-kernel+bounces-49819-ouuuleilei=gmail.com@vger.kernel.org";
dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=windriver.com
Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org
[52.25.139.140])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(No client certificate requested)
by sv.mirrors.kernel.org (Postfix) with ESMTPS id 10468283D4C
for <ouuuleilei@gmail.com>; Fri, 2 Feb 2024 12:17:11 +0000 (UTC)
Received: from localhost.localdomain (localhost.localdomain [127.0.0.1])
by smtp.subspace.kernel.org (Postfix) with ESMTP id C8EE3141980;
Fri, 2 Feb 2024 12:16:57 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
dkim=pass (2048-bit key) header.d=windriver.com header.i=@windriver.com
header.b="WCVxY8Vi"
Received: from mx0a-0064b401.pphosted.com (mx0a-0064b401.pphosted.com
[205.220.166.238])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(No client certificate requested)
by smtp.subspace.kernel.org (Postfix) with ESMTPS id A3F497E76D;
Fri, 2 Feb 2024 12:16:53 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
arc=none smtp.client-ip=205.220.166.238
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
t=1706876215; cv=none;
b=PeJiuAg72LgCjfK6bEYbUR3NPhrVCpIFZhhfKIvK9YouAJhAQYDXhtjTdYGIoleuroXniFvj/KVlevABBue14Sytf9khI+7LAcgVVyH0jmrqxookcKz4qyOmNF4s0h8UD6kuS44MPdnrQkROuhlHXrB+6QP/GYELzAGg7D7kC18=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
s=arc-20240116; t=1706876215; c=relaxed/simple;
bh=l/aopIMOwoJ7HIS7T+cRzAwMN/3xy7HCXK2/ibsdft4=;
h=From:To:CC:Subject:Date:Message-ID:In-Reply-To:References:
MIME-Version:Content-Type;
b=GMKyJI6hQS/MPTQEdtx8UHT8AztXv+q6QP+rLmcsSV5sGUixTQJyGnmVWte9cAV3vAf8fNM1IDh0lwaBRlLQxBmBxJSWVeWpNp/RRJvcUMNmH3uw0zvnQEcVNEUoLX7Q1KYzk5hVTKEvEss9EnJ6tweJM9wwwx8/QbtkLObpVng=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
dmarc=pass (p=reject dis=none) header.from=windriver.com;
spf=pass smtp.mailfrom=windriver.com;
dkim=pass (2048-bit key) header.d=windriver.com header.i=@windriver.com
header.b=WCVxY8Vi; arc=none smtp.client-ip=205.220.166.238
Authentication-Results: smtp.subspace.kernel.org;
dmarc=pass (p=reject dis=none) header.from=windriver.com
Authentication-Results: smtp.subspace.kernel.org;
spf=pass smtp.mailfrom=windriver.com
Received: from pps.filterd (m0250809.ppops.net [127.0.0.1])
by mx0a-0064b401.pphosted.com (8.17.1.24/8.17.1.24) with ESMTP id
412BQoac017730;
Fri, 2 Feb 2024 04:15:35 -0800
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=windriver.com;
h=from:to:cc:subject:date:message-id:in-reply-to:references
:mime-version:content-transfer-encoding:content-type; s=
PPS06212021; bh=UYcTMeXPca+N73s96cgEXe+7bZsHSgkXHU5oK5Zc7aU=; b=
WCVxY8VinqwuwawmN5DF+AGfiuAh90rRLXOR+wjLtLmpSdHoVCi0pDsKX7J6IVWf
Q/oBTNzvgxR2xNc6ExsXuCUXlmjtiVXNeTa35z4TBuX8DeQalh9LbykqsnvWWAUQ
0VVCLjf5li+K0OlJbHFqSQY/n3/PCkbPdFcaQMZRIIwB4GfrLp4Jy8/3Wnyefuga
S3jVRC3SONfcWGKj7vCkmreaL5+kt5DxrehB+Q4EVlxTZVedTfPTgDGE6drJ/VaH
LkVvwLWySOta2yvp2nxdQm03T1RHvTyiDUSawWlVlOrDqUPklCMusNsha8A9ek5W
724xz/iA7/RfpEZd1IuSoQ==
Received: from ala-exchng02.corp.ad.wrs.com (ala-exchng02.wrs.com
[147.11.82.254])
by mx0a-0064b401.pphosted.com (PPS) with ESMTPS id 3w0puv0dvd-1
(version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT);
Fri, 02 Feb 2024 04:15:35 -0800 (PST)
Received: from ALA-EXCHNG02.corp.ad.wrs.com (147.11.82.254) by
ALA-EXCHNG02.corp.ad.wrs.com (147.11.82.254) with Microsoft SMTP Server
(version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id
15.1.2507.35; Fri, 2 Feb 2024 04:15:34 -0800
Received: from pek-lpd-ccm6.wrs.com (147.11.136.210) by
ALA-EXCHNG02.corp.ad.wrs.com (147.11.82.254) with Microsoft SMTP Server id
15.1.2507.35 via Frontend Transport; Fri, 2 Feb 2024 04:15:32 -0800
From: Lizhi Xu <lizhi.xu@windriver.com>
To: <syzbot+7a3d75905ea1a830dbe5@syzkaller.appspotmail.com>
CC: <asmadeus@codewreck.org>, <ericvh@kernel.org>,
<linux-fsdevel@vger.kernel.org>, <linux-kernel@vger.kernel.org>,
<linux_oss@crudebyte.com>, <lucho@ionkov.net>,
<syzkaller-bugs@googlegroups.com>, <v9fs@lists.linux.dev>
Subject: [PATCH next] fs/9p: fix uaf in in v9fs_stat2inode_dotl
Date: Fri, 2 Feb 2024 20:15:31 +0800
Message-ID: <20240202121531.2550018-1-lizhi.xu@windriver.com>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <00000000000055ecb906105ed669@google.com>
References: <00000000000055ecb906105ed669@google.com>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Content-Type: text/plain
X-Proofpoint-GUID: F0ZlN-hNRdusUqWNtk5stVihewg4qzWd
X-Proofpoint-ORIG-GUID: F0ZlN-hNRdusUqWNtk5stVihewg4qzWd
X-Proofpoint-Virus-Version: vendor=baseguard
engine=ICAP:2.0.272,Aquarius:18.0.1011,Hydra:6.0.619,FMLib:17.11.176.26
definitions=2024-02-02_06,2024-01-31_01,2023-05-22_02
X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0
priorityscore=1501
malwarescore=0 adultscore=0 suspectscore=0 impostorscore=0 clxscore=1011
lowpriorityscore=0 spamscore=0 mlxlogscore=753 phishscore=0 mlxscore=0
bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1
engine=8.19.0-2401310000 definitions=main-2402020090
X-getmail-retrieved-from-mailbox: INBOX
X-GMAIL-THRID: 1789789451323862705
X-GMAIL-MSGID: 1789789451323862705
|
| Series |
[next] fs/9p: fix uaf in in v9fs_stat2inode_dotl
|
|
Commit Message
Lizhi Xu
Feb. 2, 2024, 12:15 p.m. UTC
The incorrect logical order of accessing the st object code in v9fs_fid_iget_dotl
is causing this uaf.
Fixes: 724a08450f74 ("fs/9p: simplify iget to remove unnecessary paths")
Reported-and-tested-by: syzbot+7a3d75905ea1a830dbe5@syzkaller.appspotmail.com
Signed-off-by: Lizhi Xu <lizhi.xu@windriver.com>
---
fs/9p/vfs_inode_dotl.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
Comments
On Fri, Feb 02, 2024 at 08:15:31PM +0800, Lizhi Xu wrote: > The incorrect logical order of accessing the st object code in v9fs_fid_iget_dotl > is causing this uaf. > > Fixes: 724a08450f74 ("fs/9p: simplify iget to remove unnecessary paths") > Reported-and-tested-by: syzbot+7a3d75905ea1a830dbe5@syzkaller.appspotmail.com > Signed-off-by: Lizhi Xu <lizhi.xu@windriver.com> Tested-by: Breno Leitao <leitao@debian.org>
Lizhi Xu wrote on Fri, Feb 02, 2024 at 08:15:31PM +0800: > The incorrect logical order of accessing the st object code in v9fs_fid_iget_dotl > is causing this uaf. Thanks for the fix! Eric, this is also for your tree. > > Fixes: 724a08450f74 ("fs/9p: simplify iget to remove unnecessary paths") (careful if you rebase your tree as this commit isn't merged yet) > Reported-and-tested-by: syzbot+7a3d75905ea1a830dbe5@syzkaller.appspotmail.com > Signed-off-by: Lizhi Xu <lizhi.xu@windriver.com> Reviewed-by: Dominique Martinet <asmadeus@codewreck.org>
diff --git a/fs/9p/vfs_inode_dotl.c b/fs/9p/vfs_inode_dotl.c index ef9db3e03506..2b313fe7003e 100644 --- a/fs/9p/vfs_inode_dotl.c +++ b/fs/9p/vfs_inode_dotl.c @@ -78,11 +78,11 @@ struct inode *v9fs_fid_iget_dotl(struct super_block *sb, struct p9_fid *fid) retval = v9fs_init_inode(v9ses, inode, &fid->qid, st->st_mode, new_decode_dev(st->st_rdev)); + v9fs_stat2inode_dotl(st, inode, 0); kfree(st); if (retval) goto error; - v9fs_stat2inode_dotl(st, inode, 0); v9fs_set_netfs_context(inode); v9fs_cache_inode_get_cookie(inode); retval = v9fs_get_acl(inode, fid);